MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4f7c5d0b04ff56a3134b2edfcef0a690b4d0f68ff047cbf624ab12d5dd8998d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4f7c5d0b04ff56a3134b2edfcef0a690b4d0f68ff047cbf624ab12d5dd8998d
SHA3-384 hash: 21b2e9f2f7c7b85c06e16757dfeea174fef4f9d189094cb8b58d5a0f60e178dec3022dd2a9aaff62c3d4da1c13ff1a3a
SHA1 hash: 32de8f40f074317a8fa32fdbd3f38e38bc39947e
MD5 hash: 2a6aec6a665529ab13edfc4b6f26ebeb
humanhash: green-colorado-bluebird-charlie
File name:2a6aec6a665529ab13edfc4b6f26ebeb.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:356'352 bytes
First seen:2022-11-07 15:10:08 UTC
Last seen:2022-11-07 17:13:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8f7fb97dfbf398a70e522df104072582 (3 x RedLineStealer, 1 x RecordBreaker)
ssdeep 6144:R51PihhECV2woIcztK7LJv8evBGROAOzxhTlYBYuil+x9kxejShapkx5oHQwRXS+:R51PgSCV2woIcXOpeB4lVMjShaOxmH1h
TLSH T19674CF2174C7E032E1B7443445E5EB74963FB9600B124DEBB3A4673E4E702D1E936AEA
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
79.137.204.112:80

Intelligence

File Origin
# of uploads :
2
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
2a6aec6a665529ab13edfc4b6f26ebeb.exe
Verdict:
Malicious activity
Analysis date:
2022-11-07 15:11:32 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/50fd6303-2606-44fd-ba82-3bb18adf96b2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/330014/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Steam.33947.6455.7702.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Creating a window
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Reading critical registry keys
Searching for the window
Launching a process
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63692006d8b92f0ee64c71a8/reports/e9b1fc1d-77e1-4202-8ac4-9029f9554635/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1f9c3077-dc7b-4d90-9b86-521f4a25b314
Result
Threat name:
Laplas Clipper, MicroClip, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1107376
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates files in the system32 config directory
Encrypted powershell cmdline option found
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Laplas Clipper
Yara detected MicroClip
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 740038 Sample: ndkqXR67bn.exe Startdate: 07/11/2022 Architecture: WINDOWS Score: 100 88 pool.hashvault.pro 2->88 90 clipper.guru 2->90 112 Snort IDS alert for network traffic 2->112 114 Malicious sample detected (through community Yara rule) 2->114 116 Antivirus detection for URL or domain 2->116 118 16 other signatures 2->118 10 ndkqXR67bn.exe 1 2->10         started        13 svcupdater.exe 1 2->13         started        16 powershell.exe 2->16         started        18 powershell.exe 2->18         started        signatures3 process4 dnsIp5 136 Contains functionality to inject code into remote processes 10->136 138 Writes to foreign memory regions 10->138 140 Allocates memory in foreign processes 10->140 142 Injects a PE file into a foreign processes 10->142 20 AppLaunch.exe 15 9 10->20         started        25 WerFault.exe 23 9 10->25         started        27 conhost.exe 10->27         started        100 clipper.guru 45.159.189.115, 49704, 49706, 80 HOSTING-SOLUTIONSUS Netherlands 13->100 144 Multi AV Scanner detection for dropped file 13->144 146 Creates files in the system32 config directory 16->146 29 conhost.exe 16->29         started        31 conhost.exe 18->31         started        signatures6 process7 dnsIp8 92 79.137.204.112, 49699, 80 PSKSET-ASRU Russian Federation 20->92 94 api.ip.sb 20->94 96 ezisc.com 35.213.155.151, 443, 49701, 49702 GOOGLEUS United States 20->96 80 C:\Users\user\AppData\Local\...\setup.exe, PE32 20->80 dropped 82 C:\Users\user\AppData\Local\...\ofg.exe, PE32+ 20->82 dropped 84 C:\Users\user\AppData\Local\...\brave.exe, PE32+ 20->84 dropped 120 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->120 122 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 20->122 124 Tries to harvest and steal browser information (history, passwords, etc) 20->124 126 Tries to steal Crypto Currency Wallets 20->126 33 brave.exe 2 20->33         started        37 ofg.exe 2 20->37         started        39 setup.exe 11 20->39         started        98 192.168.2.1 unknown unknown 25->98 86 C:\ProgramData\Microsoft\...\Report.wer, Unicode 25->86 dropped file9 signatures10 process11 file12 72 C:\Users\user\AppData\Local\Temp009.tmp, PE32+ 33->72 dropped 74 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 33->74 dropped 102 Multi AV Scanner detection for dropped file 33->102 104 Writes to foreign memory regions 33->104 106 Modifies the context of a thread in another process (thread injection) 33->106 110 3 other signatures 33->110 41 cmd.exe 33->41         started        44 cmd.exe 33->44         started        46 powershell.exe 19 33->46         started        52 3 other processes 33->52 76 C:\Users\user\AppData\...\svcupdater.exe, PE32+ 37->76 dropped 48 cmd.exe 1 37->48         started        78 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 39->78 dropped 108 Encrypted powershell cmdline option found 39->108 50 powershell.exe 39->50         started        signatures13 process14 signatures15 54 conhost.exe 41->54         started        66 10 other processes 41->66 128 Modifies power options to not sleep / hibernate 44->128 56 conhost.exe 44->56         started        68 4 other processes 44->68 58 conhost.exe 46->58         started        130 Uses cmd line tools excessively to alter registry or file data 48->130 132 Uses schtasks.exe or at.exe to add and modify task schedules 48->132 134 Uses powercfg.exe to modify the power settings 48->134 60 conhost.exe 48->60         started        62 schtasks.exe 1 48->62         started        64 conhost.exe 50->64         started        70 2 other processes 52->70 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4f7c5d0b04ff56a3134b2edfcef0a690b4d0f68ff047cbf624ab12d5dd8998d/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-04 00:44:11 UTC
File Type:
PE (Exe)
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2t34lufqj72wumjuwlw7z3yknefu2d3i74chzp3cjkys2xoytggq._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@wuz1muu evasion infostealer spyware
Link:
https://tria.ge/reports/221107-skk4msfdbp/
Behaviour
Creates scheduled task(s)
GoLang User-Agent
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Stops running service(s)
Modifies security service
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
79.137.204.112:80
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2165a484-5f46-4d96-8196-08cccba4c4e7
Unpacked files
SH256 hash:
ef8c5d718e1886c810c361ad14d62894d2bfe90c329d0a5e6161ff7ddfffdd84
MD5 hash:
2573f76b8b51a351bb5017cf2e9afbf1
SHA1 hash:
17a213491793720a6fddf08b707f2fc701515c5e
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/bcabf0f5-55c1-461a-b10a-ee0b66c33a68/
SH256 hash:
d4f7c5d0b04ff56a3134b2edfcef0a690b4d0f68ff047cbf624ab12d5dd8998d
MD5 hash:
2a6aec6a665529ab13edfc4b6f26ebeb
SHA1 hash:
32de8f40f074317a8fa32fdbd3f38e38bc39947e
Link:
https://www.unpac.me/results/bcabf0f5-55c1-461a-b10a-ee0b66c33a68/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d4f7c5d0b04f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d4f7c5d0b04ff56a3134b2edfcef0a690b4d0f68ff047cbf624ab12d5dd8998d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/330014/

Comments